1. 18 Jul, 2017 40 commits
    • James Hogan's avatar
      metag/usercopy: Fix src fixup in from user rapf loops · 8420ce64
      James Hogan authored
      commit 2c0b1df8 upstream.
      
      The fixup code to rewind the source pointer in
      __asm_copy_from_user_{32,64}bit_rapf_loop() always rewound the source by
      a single unit (4 or 8 bytes), however this is insufficient if the fault
      didn't occur on the first load in the loop, as the source pointer will
      have been incremented but nothing will have been stored until all 4
      register [pairs] are loaded.
      
      Read the LSM_STEP field of TXSTATUS (which is already loaded into a
      register), a bit like the copy_to_user versions, to determine how many
      iterations of MGET[DL] have taken place, all of which need rewinding.
      
      Fixes: 373cd784 ("metag: Memory handling")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-metag@vger.kernel.org
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8420ce64
    • James Hogan's avatar
      metag/usercopy: Set flags before ADDZ · b66d946e
      James Hogan authored
      commit fd40eee1 upstream.
      
      The fixup code for the copy_to_user rapf loops reads TXStatus.LSM_STEP
      to decide how far to rewind the source pointer. There is a special case
      for the last execution of an MGETL/MGETD, since it leaves LSM_STEP=0
      even though the number of MGETLs/MGETDs attempted was 4. This uses ADDZ
      which is conditional upon the Z condition flag, but the AND instruction
      which masked the TXStatus.LSM_STEP field didn't set the condition flags
      based on the result.
      
      Fix that now by using ANDS which does set the flags, and also marking
      the condition codes as clobbered by the inline assembly.
      
      Fixes: 373cd784 ("metag: Memory handling")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-metag@vger.kernel.org
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b66d946e
    • James Hogan's avatar
      metag/usercopy: Zero rest of buffer from copy_from_user · d673d3f9
      James Hogan authored
      commit 563ddc10 upstream.
      
      Currently we try to zero the destination for a failed read from userland
      in fixup code in the usercopy.c macros. The rest of the destination
      buffer is then zeroed from __copy_user_zeroing(), which is used for both
      copy_from_user() and __copy_from_user().
      
      Unfortunately we fail to zero in the fixup code as D1Ar1 is set to 0
      before the fixup code entry labels, and __copy_from_user() shouldn't even
      be zeroing the rest of the buffer.
      
      Move the zeroing out into copy_from_user() and rename
      __copy_user_zeroing() to raw_copy_from_user() since it no longer does
      any zeroing. This also conveniently matches the name needed for
      RAW_COPY_USER support in a later patch.
      
      Fixes: 373cd784 ("metag: Memory handling")
      Reported-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-metag@vger.kernel.org
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d673d3f9
    • James Hogan's avatar
      metag/usercopy: Add early abort to copy_to_user · f81f3b14
      James Hogan authored
      commit fb8ea062 upstream.
      
      When copying to userland on Meta, if any faults are encountered
      immediately abort the copy instead of continuing on and repeatedly
      faulting, and worse potentially copying further bytes successfully to
      subsequent valid pages.
      
      Fixes: 373cd784 ("metag: Memory handling")
      Reported-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-metag@vger.kernel.org
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f81f3b14
    • James Hogan's avatar
      metag/usercopy: Fix alignment error checking · 22aa0caf
      James Hogan authored
      commit 22572119 upstream.
      
      Fix the error checking of the alignment adjustment code in
      raw_copy_from_user(), which mistakenly considers it safe to skip the
      error check when aligning the source buffer on a 2 or 4 byte boundary.
      
      If the destination buffer was unaligned it may have started to copy
      using byte or word accesses, which could well be at the start of a new
      (valid) source page. This would result in it appearing to have copied 1
      or 2 bytes at the end of the first (invalid) page rather than none at
      all.
      
      Fixes: 373cd784 ("metag: Memory handling")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-metag@vger.kernel.org
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      22aa0caf
    • James Hogan's avatar
      metag/usercopy: Drop unused macros · f1c66ec4
      James Hogan authored
      commit ef62a2d8 upstream.
      
      Metag's lib/usercopy.c has a bunch of copy_from_user macros for larger
      copies between 5 and 16 bytes which are completely unused. Before fixing
      zeroing lets drop these macros so there is less to fix.
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: linux-metag@vger.kernel.org
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f1c66ec4
    • Wei Yongjun's avatar
      ring-buffer: Fix return value check in test_ringbuffer() · 0fe5f305
      Wei Yongjun authored
      commit 62277de7 upstream.
      
      In case of error, the function kthread_run() returns ERR_PTR()
      and never returns NULL. The NULL test in the return value check
      should be replaced with IS_ERR().
      
      Link: http://lkml.kernel.org/r/1466184839-14927-1-git-send-email-weiyj_lk@163.com
      
      Fixes: 6c43e554 ("ring-buffer: Add ring buffer startup selftest")
      Signed-off-by: default avatarWei Yongjun <yongjun_wei@trendmicro.com.cn>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0fe5f305
    • Horia Geantă's avatar
      crypto: caam - fix RNG deinstantiation error checking · 9421a4cd
      Horia Geantă authored
      commit 40c98cb5 upstream.
      
      RNG instantiation was previously fixed by
      commit 62743a41 ("crypto: caam - fix RNG init descriptor ret. code checking")
      while deinstantiation was not addressed.
      
      Since the descriptors used are similar, in the sense that they both end
      with a JUMP HALT command, checking for errors should be similar too,
      i.e. status code 7000_0000h should be considered successful.
      
      Fixes: 1005bccd ("crypto: caam - enable instantiation of all RNG4 state handles")
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9421a4cd
    • Oliver O'Halloran's avatar
      powerpc/64: Fix flush_(d|i)cache_range() called from modules · 92f27aff
      Oliver O'Halloran authored
      commit 8f5f525d upstream.
      
      When the kernel is compiled to use 64bit ABIv2 the _GLOBAL() macro does
      not include a global entry point. A function's global entry point is
      used when the function is called from a different TOC context and in the
      kernel this typically means a call from a module into the vmlinux (or
      vice-versa).
      
      There are a few exported asm functions declared with _GLOBAL() and
      calling them from a module will likely crash the kernel since any TOC
      relative load will yield garbage.
      
      flush_icache_range() and flush_dcache_range() are both exported to
      modules, and use the TOC, so must use _GLOBAL_TOC().
      
      Fixes: 721aeaa9 ("powerpc: Build little endian ppc64 kernel with ABIv2")
      Signed-off-by: default avatarOliver O'Halloran <oohall@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      92f27aff
    • Nicholas Piggin's avatar
      powerpc/kernel: Use kprobe blacklist for asm functions · 958bc332
      Nicholas Piggin authored
      commit 6f698df1 upstream.
      
      Rather than forcing the whole function into the ".kprobes.text" section,
      just add the symbol's address to the kprobe blacklist.
      
      This also lets us drop the three versions of the_KPROBE macro, in
      exchange for just one version of _ASM_NOKPROBE_SYMBOL - which is a good
      cleanup.
      Signed-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      958bc332
    • Guillaume Nault's avatar
      l2tp: take reference on sessions being dumped · 29a77518
      Guillaume Nault authored
      commit e08293a4 upstream.
      
      Take a reference on the sessions returned by l2tp_session_find_nth()
      (and rename it l2tp_session_get_nth() to reflect this change), so that
      caller is assured that the session isn't going to disappear while
      processing it.
      
      For procfs and debugfs handlers, the session is held in the .start()
      callback and dropped in .show(). Given that pppol2tp_seq_session_show()
      dereferences the associated PPPoL2TP socket and that
      l2tp_dfs_seq_session_show() might call pppol2tp_show(), we also need to
      call the session's .ref() callback to prevent the socket from going
      away from under us.
      
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Fixes: 0ad66140 ("l2tp: Add debugfs files for dumping l2tp debug info")
      Fixes: 309795f4 ("l2tp: Add netlink control API for L2TP")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      29a77518
    • Paul Mackerras's avatar
      powerpc: Don't try to fix up misaligned load-with-reservation instructions · 2a55683f
      Paul Mackerras authored
      commit 48fe9e94 upstream.
      
      In the past, there was only one load-with-reservation instruction,
      lwarx, and if a program attempted a lwarx on a misaligned address, it
      would take an alignment interrupt and the kernel handler would emulate
      it as though it was lwzx, which was not really correct, but benign since
      it is loading the right amount of data, and the lwarx should be paired
      with a stwcx. to the same address, which would also cause an alignment
      interrupt which would result in a SIGBUS being delivered to the process.
      
      We now have 5 different sizes of load-with-reservation instruction. Of
      those, lharx and ldarx cause an immediate SIGBUS by luck since their
      entries in aligninfo[] overlap instructions which were not fixed up, but
      lqarx overlaps with lhz and will be emulated as such. lbarx can never
      generate an alignment interrupt since it only operates on 1 byte.
      
      To straighten this out and fix the lqarx case, this adds code to detect
      the l[hwdq]arx instructions and return without fixing them up, resulting
      in a SIGBUS being delivered to the process.
      Signed-off-by: default avatarPaul Mackerras <paulus@ozlabs.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2a55683f
    • Suzuki K Poulose's avatar
      kvm: arm/arm64: Fix locking for kvm_free_stage2_pgd · 2a992347
      Suzuki K Poulose authored
      commit 8b3405e3 upstream.
      
      In kvm_free_stage2_pgd() we don't hold the kvm->mmu_lock while calling
      unmap_stage2_range() on the entire memory range for the guest. This could
      cause problems with other callers (e.g, munmap on a memslot) trying to
      unmap a range. And since we have to unmap the entire Guest memory range
      holding a spinlock, make sure we yield the lock if necessary, after we
      unmap each PUD range.
      
      Fixes: commit d5d8184d ("KVM: ARM: Memory virtualization setup")
      Cc: Paolo Bonzini <pbonzin@redhat.com>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Cc: Christoffer Dall <christoffer.dall@linaro.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
      [ Avoid vCPU starvation and lockup detector warnings ]
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      [bwh: Backported to 3.16:
       - unmap_stage2_range() is a wrapper around unmap_range(), which is also used for
         HYP page table setup.  So unmap_range() should do the cond_resched_lock(), but
         only if kvm != NULL.
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2a992347
    • Yuejie Shi's avatar
      af_key: Add lock to key dump · fd75aee7
      Yuejie Shi authored
      commit 89e357d8 upstream.
      
      A dump may come in the middle of another dump, modifying its dump
      structure members. This race condition will result in NULL pointer
      dereference in kernel. So add a lock to prevent that race.
      
      Fixes: 83321d6b ("[AF_KEY]: Dump SA/SP entries non-atomically")
      Signed-off-by: default avatarYuejie Shi <syjcnss@gmail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      fd75aee7
    • Nicholas Bellinger's avatar
      iscsi-target: Drop work-around for legacy GlobalSAN initiator · c136bc3a
      Nicholas Bellinger authored
      commit 1c99de98 upstream.
      
      Once upon a time back in 2009, a work-around was added to support
      the GlobalSAN iSCSI initiator v3.3 for MacOSX, which during login
      did not propose nor respond to MaxBurstLength, FirstBurstLength,
      DefaultTime2Wait and DefaultTime2Retain keys.
      
      The work-around in iscsi_check_proposer_for_optional_reply()
      allowed the missing keys to be proposed, but did not require
      waiting for a response before moving to full feature phase
      operation.  This allowed GlobalSAN v3.3 to work out-of-the
      box, and for many years we didn't run into login interopt
      issues with any other initiators..
      
      Until recently, when Martin tried a QLogic 57840S iSCSI Offload
      HBA on Windows 2016 which completed login, but subsequently
      failed with:
      
          Got unknown iSCSI OpCode: 0x43
      
      The issue was QLogic MSFT side did not propose DefaultTime2Wait +
      DefaultTime2Retain, so LIO proposes them itself, and immediately
      transitions to full feature phase because of the GlobalSAN hack.
      However, the QLogic MSFT side still attempts to respond to
      DefaultTime2Retain + DefaultTime2Wait, even though LIO has set
      ISCSI_FLAG_LOGIN_NEXT_STAGE3 + ISCSI_FLAG_LOGIN_TRANSIT
      in last login response.
      
      So while the QLogic MSFT side should have been proposing these
      two keys to start, it was doing the correct thing per RFC-3720
      attempting to respond to proposed keys before transitioning to
      full feature phase.
      
      All that said, recent versions of GlobalSAN iSCSI (v5.3.0.541)
      does correctly propose the four keys during login, making the
      original work-around moot.
      
      So in order to allow QLogic MSFT to run unmodified as-is, go
      ahead and drop this long standing work-around.
      Reported-by: default avatarMartin Svec <martin.svec@zoner.cz>
      Cc: Martin Svec <martin.svec@zoner.cz>
      Cc: Himanshu Madhani <Himanshu.Madhani@cavium.com>
      Cc: Arun Easi <arun.easi@cavium.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c136bc3a
    • Song Hongyan's avatar
      iio: hid-sensor-attributes: Fix sensor property setting failure. · dc49f841
      Song Hongyan authored
      commit bba6d9e4 upstream.
      
      When system bootup without get sensor property, set sensor
      property will be fail.
      
      If no get_feature operation done before set_feature, the sensor
      properties will all be the initialized value, which is not the
      same with sensor real properties. When set sensor property it will
      write back to sensor the changed perperty data combines with other
      sensor properties data, it is not right and may be dangerous.
      
      In order to get all sensor properties, choose to read one of the sensor
      properties(no matter read any sensor peroperty, driver will get all
      the peroperties and return the requested one).
      
      Fixes: 73c6768b ("iio: hid-sensors: Common attribute and trigger")
      Signed-off-by: default avatarSong Hongyan <hongyan.song@intel.com>
      Acked-by: default avatarSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      [bwh: Backported to 3.16:
       - sensor_hub_get_feature() doesn't take a 'buffer_size' parameter
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dc49f841
    • Nikolaus Schulz's avatar
      iio: core: Fix IIO_VAL_FRACTIONAL_LOG2 for negative values · 2c10d3e6
      Nikolaus Schulz authored
      commit 7fd6592d upstream.
      
      Fix formatting of negative values of type IIO_VAL_FRACTIONAL_LOG2 by
      switching from do_div(), which can't handle negative numbers, to
      div_s64_rem().  Also use shift_right for shifting, which is safe with
      negative values.
      Signed-off-by: default avatarNikolaus Schulz <nikolaus.schulz@avionic-design.de>
      Reviewed-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      [bwh: Backported to 3.16:
       - Use vals[] instead of tmp{0,1}
       - Keep using sprintf()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2c10d3e6
    • Michal Nazarewicz's avatar
      include/linux/kernel.h: change abs() macro so it uses consistent return type · bc11e0dc
      Michal Nazarewicz authored
      commit 8f57e4d9 upstream.
      
      Rewrite abs() so that its return type does not depend on the
      architecture and no unexpected type conversion happen inside of it.  The
      only conversion is from unsigned to signed type.  char is left as a
      return type but treated as a signed type regradless of it's actual
      signedness.
      
      With the old version, int arguments were promoted to long and depending
      on architecture a long argument might result in s64 or long return type
      (which may or may not be the same).
      
      This came after some back and forth with Nicolas.  The current macro has
      different return type (for the same input type) depending on
      architecture which might be midly iritating.
      
      An alternative version would promote to int like so:
      
      	#define abs(x)	__abs_choose_expr(x, long long,			\
      			__abs_choose_expr(x, long,			\
      			__builtin_choose_expr(				\
      				sizeof(x) <= sizeof(int),		\
      				({ int __x = (x); __x<0?-__x:__x; }),	\
      				((void)0))))
      
      I have no preference but imagine Linus might.  :] Nicolas argument against
      is that promoting to int causes iconsistent behaviour:
      
      	int main(void) {
      		unsigned short a = 0, b = 1, c = a - b;
      		unsigned short d = abs(a - b);
      		unsigned short e = abs(c);
      		printf("%u %u\n", d, e);  // prints: 1 65535
      	}
      
      Then again, no sane person expects consistent behaviour from C integer
      arithmetic.  ;)
      
      Note:
      
        __builtin_types_compatible_p(unsigned char, char) is always false, and
        __builtin_types_compatible_p(signed char, char) is also always false.
      Signed-off-by: default avatarMichal Nazarewicz <mina86@mina86.com>
      Reviewed-by: default avatarNicolas Pitre <nico@linaro.org>
      Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Cc: Wey-Yi Guy <wey-yi.w.guy@intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bc11e0dc
    • Michal Nazarewicz's avatar
      kernel.h: make abs() work with 64-bit types · 5ab49e93
      Michal Nazarewicz authored
      commit c8299cb6 upstream.
      
      For 64-bit arguments, the abs macro casts it to an int which leads to
      lost precision and may cause incorrect results.  To deal with 64-bit
      types abs64 macro has been introduced but still there are places where
      abs macro is used incorrectly.
      
      To deal with the problem, expand abs macro such that it operates on s64
      type when dealing with 64-bit types while still returning long when
      dealing with smaller types.
      
      This fixes one known bug (per John):
      
      The internal clocksteering done for fine-grained error correction uses a
      : logarithmic approximation, so any time adjtimex() adjusts the clock
      : steering, timekeeping_freqadjust() quickly approximates the correct clock
      : frequency over a series of ticks.
      :
      : Unfortunately, the logic in timekeeping_freqadjust(), introduced in commit
      : dc491596 (Rework frequency adjustments to work better w/ nohz),
      : used the abs() function with a s64 error value to calculate the size of
      : the approximated adjustment to be made.
      :
      : Per include/linux/kernel.h: "abs() should not be used for 64-bit types
      : (s64, u64, long long) - use abs64()".
      :
      : Thus on 32-bit platforms, this resulted in the clocksteering to take a
      : quite dampended random walk trying to converge on the proper frequency,
      : which caused the adjustments to be made much slower then intended (most
      : easily observed when large adjustments are made).
      Signed-off-by: default avatarMichal Nazarewicz <mina86@mina86.com>
      Reported-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Tested-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5ab49e93
    • Guillaume Nault's avatar
      l2tp: take a reference on sessions used in genetlink handlers · b301c9b7
      Guillaume Nault authored
      commit 2777e2ab upstream.
      
      Callers of l2tp_nl_session_find() need to hold a reference on the
      returned session since there's no guarantee that it isn't going to
      disappear from under them.
      
      Relying on the fact that no l2tp netlink message may be processed
      concurrently isn't enough: sessions can be deleted by other means
      (e.g. by closing the PPPOL2TP socket of a ppp pseudowire).
      
      l2tp_nl_cmd_session_delete() is a bit special: it runs a callback
      function that may require a previous call to session->ref(). In
      particular, for ppp pseudowires, the callback is l2tp_session_delete(),
      which then calls pppol2tp_session_close() and dereferences the PPPOL2TP
      socket. The socket might already be gone at the moment
      l2tp_session_delete() calls session->ref(), so we need to take a
      reference during the session lookup. So we need to pass the do_ref
      variable down to l2tp_session_get() and l2tp_session_get_by_ifname().
      
      Since all callers have to be updated, l2tp_session_find_by_ifname() and
      l2tp_nl_session_find() are renamed to reflect their new behaviour.
      
      Fixes: 309795f4 ("l2tp: Add netlink control API for L2TP")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b301c9b7
    • Guillaume Nault's avatar
      l2tp: fix duplicate session creation · 877dc0d7
      Guillaume Nault authored
      commit dbdbc73b upstream.
      
      l2tp_session_create() relies on its caller for checking for duplicate
      sessions. This is racy since a session can be concurrently inserted
      after the caller's verification.
      
      Fix this by letting l2tp_session_create() verify sessions uniqueness
      upon insertion. Callers need to be adapted to check for
      l2tp_session_create()'s return code instead of calling
      l2tp_session_find().
      
      pppol2tp_connect() is a bit special because it has to work on existing
      sessions (if they're not connected) or to create a new session if none
      is found. When acting on a preexisting session, a reference must be
      held or it could go away on us. So we have to use l2tp_session_get()
      instead of l2tp_session_find() and drop the reference before exiting.
      
      Fixes: d9e31d17 ("l2tp: Add L2TP ethernet pseudowire support")
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      877dc0d7
    • Guillaume Nault's avatar
      l2tp: ensure session can't get removed during pppol2tp_session_ioctl() · 611ddd1a
      Guillaume Nault authored
      commit 57377d63 upstream.
      
      Holding a reference on session is required before calling
      pppol2tp_session_ioctl(). The session could get freed while processing the
      ioctl otherwise. Since pppol2tp_session_ioctl() uses the session's socket,
      we also need to take a reference on it in l2tp_session_get().
      
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      611ddd1a
    • Guillaume Nault's avatar
      l2tp: fix race in l2tp_recv_common() · 3129845f
      Guillaume Nault authored
      commit 61b9a047 upstream.
      
      Taking a reference on sessions in l2tp_recv_common() is racy; this
      has to be done by the callers.
      
      To this end, a new function is required (l2tp_session_get()) to
      atomically lookup a session and take a reference on it. Callers then
      have to manually drop this reference.
      
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3129845f
    • Uwe Kleine-König's avatar
      serial: mxs-auart: Fix baudrate calculation · a3cd4f8c
      Uwe Kleine-König authored
      commit a6040bc6 upstream.
      
      The reference manual for the i.MX28 recommends to calculate the divisor
      as
      
      	divisor = (UARTCLK * 32) / baud rate, rounded to the nearest integer
      
      , so let's do this. For a typical setup of UARTCLK = 24 MHz and baud
      rate = 115200 this changes the divisor from 6666 to 6667 and so the
      actual baud rate improves from 115211.521 Bd (error ≅ 0.01 %) to
      115194.240 Bd (error ≅ 0.005 %).
      Signed-off-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.16: adjust context, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a3cd4f8c
    • Stefan Wahren's avatar
      serial: mxs-auart: fix baud rate range · c7c32716
      Stefan Wahren authored
      commit df57cf6a upstream.
      
      Currently mxs-auart doesn't care correctly about the baud rate divisor.
      According to reference manual the baud rate divisor must be between
      0x000000EC and 0x003FFFC0. So calculate the possible baud rate range
      and use it for uart_get_baud_rate().
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Reviewed-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c7c32716
    • Hans de Goede's avatar
      mmc: sdhci: Disable runtime pm when the sdio_irq is enabled · 9af42458
      Hans de Goede authored
      commit 923713b3 upstream.
      
      SDIO cards may need clock to send the card interrupt to the host.
      
      On a cherrytrail tablet with a RTL8723BS wifi chip, without this patch
      pinging the tablet results in:
      
      PING 192.168.1.14 (192.168.1.14) 56(84) bytes of data.
      64 bytes from 192.168.1.14: icmp_seq=1 ttl=64 time=78.6 ms
      64 bytes from 192.168.1.14: icmp_seq=2 ttl=64 time=1760 ms
      64 bytes from 192.168.1.14: icmp_seq=3 ttl=64 time=753 ms
      64 bytes from 192.168.1.14: icmp_seq=4 ttl=64 time=3.88 ms
      64 bytes from 192.168.1.14: icmp_seq=5 ttl=64 time=795 ms
      64 bytes from 192.168.1.14: icmp_seq=6 ttl=64 time=1841 ms
      64 bytes from 192.168.1.14: icmp_seq=7 ttl=64 time=810 ms
      64 bytes from 192.168.1.14: icmp_seq=8 ttl=64 time=1860 ms
      64 bytes from 192.168.1.14: icmp_seq=9 ttl=64 time=812 ms
      64 bytes from 192.168.1.14: icmp_seq=10 ttl=64 time=48.6 ms
      
      Where as with this patch I get:
      
      PING 192.168.1.14 (192.168.1.14) 56(84) bytes of data.
      64 bytes from 192.168.1.14: icmp_seq=1 ttl=64 time=3.96 ms
      64 bytes from 192.168.1.14: icmp_seq=2 ttl=64 time=1.97 ms
      64 bytes from 192.168.1.14: icmp_seq=3 ttl=64 time=17.2 ms
      64 bytes from 192.168.1.14: icmp_seq=4 ttl=64 time=2.46 ms
      64 bytes from 192.168.1.14: icmp_seq=5 ttl=64 time=2.83 ms
      64 bytes from 192.168.1.14: icmp_seq=6 ttl=64 time=1.40 ms
      64 bytes from 192.168.1.14: icmp_seq=7 ttl=64 time=2.10 ms
      64 bytes from 192.168.1.14: icmp_seq=8 ttl=64 time=1.40 ms
      64 bytes from 192.168.1.14: icmp_seq=9 ttl=64 time=2.04 ms
      64 bytes from 192.168.1.14: icmp_seq=10 ttl=64 time=1.40 ms
      
      Cc: Dong Aisheng <b29396@freescale.com>
      Cc: Ian W MORRISON <ianwmorrison@gmail.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Acked-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Acked-by: default avatarDong Aisheng <aisheng.dong@nxp.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9af42458
    • Thomas Hellstrom's avatar
      drm/vmwgfx: Remove getparam error message · 447ed742
      Thomas Hellstrom authored
      commit 53e16798 upstream.
      
      The mesa winsys sometimes uses unimplemented parameter requests to
      check for features. Remove the error message to avoid bloating the
      kernel log.
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Reviewed-by: default avatarBrian Paul <brianp@vmware.com>
      Reviewed-by: default avatarSinclair Yeh <syeh@vmware.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      447ed742
    • Thomas Hellstrom's avatar
      drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces · ef9e7a11
      Thomas Hellstrom authored
      commit fe25deb7 upstream.
      
      Previously, when a surface was opened using a legacy (non prime) handle,
      it was verified to have been created by a client in the same master realm.
      Relax this so that opening is also allowed recursively if the client
      already has the surface open.
      
      This works around a regression in svga mesa where opening of a shared
      surface is used recursively to obtain surface information.
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Reviewed-by: default avatarSinclair Yeh <syeh@vmware.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ef9e7a11
    • Murray McAllister's avatar
      drm/vmwgfx: avoid calling vzalloc with a 0 size in vmw_get_cap_3d_ioctl() · dc7d9316
      Murray McAllister authored
      commit 63774069 upstream.
      
      In vmw_get_cap_3d_ioctl(), a user can supply 0 for a size that is
      used in vzalloc(). This eventually calls dump_stack() (in warn_alloc()),
      which can leak useful addresses to dmesg.
      
      Add check to avoid a size of 0.
      Signed-off-by: default avatarMurray McAllister <murray.mcallister@insomniasec.com>
      Reviewed-by: default avatarSinclair Yeh <syeh@vmware.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dc7d9316
    • Thomas Hellstrom's avatar
      drm/vmwgfx: Type-check lookups of fence objects · 1ab4c8e8
      Thomas Hellstrom authored
      commit f7652afa upstream.
      
      A malicious caller could otherwise hand over handles to other objects
      causing all sorts of interesting problems.
      
      Testing done: Ran a Fedora 25 desktop using both Xorg and
      gnome-shell/Wayland.
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Reviewed-by: default avatarSinclair Yeh <syeh@vmware.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1ab4c8e8
    • Nicholas Bellinger's avatar
      iscsi-target: Fix TMR reference leak during session shutdown · c7e911db
      Nicholas Bellinger authored
      commit efb2ea77 upstream.
      
      This patch fixes a iscsi-target specific TMR reference leak
      during session shutdown, that could occur when a TMR was
      quiesced before the hand-off back to iscsi-target code
      via transport_cmd_check_stop_to_fabric().
      
      The reference leak happens because iscsit_free_cmd() was
      incorrectly skipping the final target_put_sess_cmd() for
      TMRs when transport_generic_free_cmd() returned zero because
      the se_cmd->cmd_kref did not reach zero, due to the missing
      se_cmd assignment in original code.
      
      The result was iscsi_cmd and it's associated se_cmd memory
      would be freed once se_sess->sess_cmd_map where released,
      but the associated se_tmr_req was leaked and remained part
      of se_device->dev_tmr_list.
      
      This bug would manfiest itself as kernel paging request
      OOPsen in core_tmr_lun_reset(), when a left-over se_tmr_req
      attempted to dereference it's se_cmd pointer that had
      already been released during normal session shutdown.
      
      To address this bug, go ahead and treat ISCSI_OP_SCSI_CMD
      and ISCSI_OP_SCSI_TMFUNC the same when there is an extra
      se_cmd->cmd_kref to drop in iscsit_free_cmd(), and use
      op_scsi to signal __iscsit_free_cmd() when the former
      needs to clear any further iscsi related I/O state.
      Reported-by: default avatarRob Millner <rlm@daterainc.com>
      Cc: Rob Millner <rlm@daterainc.com>
      Reported-by: default avatarChu Yuan Lin <cyl@datera.io>
      Cc: Chu Yuan Lin <cyl@datera.io>
      Tested-by: default avatarChu Yuan Lin <cyl@datera.io>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c7e911db
    • Sebastian Siewior's avatar
      ubi/upd: Always flush after prepared for an update · 6550ef6f
      Sebastian Siewior authored
      commit 9cd9a21c upstream.
      
      In commit 6afaf8a4 ("UBI: flush wl before clearing update marker") I
      managed to trigger and fix a similar bug. Now here is another version of
      which I assumed it wouldn't matter back then but it turns out UBI has a
      check for it and will error out like this:
      
      |ubi0 warning: validate_vid_hdr: inconsistent used_ebs
      |ubi0 error: validate_vid_hdr: inconsistent VID header at PEB 592
      
      All you need to trigger this is? "ubiupdatevol /dev/ubi0_0 file" + a
      powercut in the middle of the operation.
      ubi_start_update() sets the update-marker and puts all EBs on the erase
      list. After that userland can proceed to write new data while the old EB
      aren't erased completely. A powercut at this point is usually not that
      much of a tragedy. UBI won't give read access to the static volume
      because it has the update marker. It will most likely set the corrupted
      flag because it misses some EBs.
      So we are all good. Unless the size of the image that has been written
      differs from the old image in the magnitude of at least one EB. In that
      case UBI will find two different values for `used_ebs' and refuse to
      attach the image with the error message mentioned above.
      
      So in order not to get in the situation, the patch will ensure that we
      wait until everything is removed before it tries to write any data.
      The alternative would be to detect such a case and remove all EBs at the
      attached time after we processed the volume-table and see the
      update-marker set. The patch looks bigger and I doubt it is worth it
      since usually the write() will wait from time to time for a new EB since
      usually there not that many spare EB that can be used.
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6550ef6f
    • Heiko Carstens's avatar
      s390/uaccess: get_user() should zero on failure (again) · db49ae76
      Heiko Carstens authored
      commit d09c5373 upstream.
      
      Commit fd2d2b19 ("s390: get_user() should zero on failure")
      intended to fix s390's get_user() implementation which did not zero
      the target operand if the read from user space faulted. Unfortunately
      the patch has no effect: the corresponding inline assembly specifies
      that the operand is only written to ("=") and the previous value is
      discarded.
      
      Therefore the compiler is free to and actually does omit the zero
      initialization.
      
      To fix this simply change the contraint modifier to "+", so the
      compiler cannot omit the initialization anymore.
      
      Fixes: c9ca7841 ("s390/uaccess: provide inline variants of get_user/put_user")
      Fixes: fd2d2b19 ("s390: get_user() should zero on failure")
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      db49ae76
    • Guillaume Nault's avatar
      l2tp: purge socket queues in the .destruct() callback · 8f2293a7
      Guillaume Nault authored
      commit e91793bb upstream.
      
      The Rx path may grab the socket right before pppol2tp_release(), but
      nothing guarantees that it will enqueue packets before
      skb_queue_purge(). Therefore, the socket can be destroyed without its
      queues fully purged.
      
      Fix this by purging queues in pppol2tp_session_destruct() where we're
      guaranteed nothing is still referencing the socket.
      
      Fixes: 9e9cb622 ("l2tp: fix userspace reception on plain L2TP sockets")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8f2293a7
    • Mathias Nyman's avatar
      xhci: Manually give back cancelled URB if we can't queue it for cancel · ce339190
      Mathias Nyman authored
      commit d3519b9d upstream.
      
      xhci needs to take care of four scenarios when asked to cancel a URB.
      
      1 URB is not queued or already given back.
        usb_hcd_check_unlink_urb() will return an error, we pass the error on
      
      2 We fail to find xhci internal structures from urb private data such as
        virtual device and endpoint ring.
        Give back URB immediately, can't do anything about internal structures.
      
      3 URB private data has valid pointers to xhci internal data, but host is
        not  responding.
        give back URB immedately and remove the URB from the endpoint lists.
      
      4 Everyting is working
        add URB to cancel list, queue a command to stop the endpoint, after
        which the URB can be turned to no-op or skipped, removed from lists,
        and given back.
      
      We failed to give back the urb in case 2 where the correct device and
      endpoint pointers could not be retrieved from URB private data.
      
      This caused a hang on Dell Inspiron 5558/0VNM2T at resume from suspend
      as urb was never returned.
      
      [  245.270505] INFO: task rtsx_usb_ms_1:254 blocked for more than 120 seconds.
      [  245.272244]       Tainted: G        W       4.11.0-rc3-ARCH #2
      [  245.273983] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [  245.275737] rtsx_usb_ms_1   D    0   254      2 0x00000000
      [  245.277524] Call Trace:
      [  245.279278]  __schedule+0x2d3/0x8a0
      [  245.281077]  schedule+0x3d/0x90
      [  245.281961]  usb_kill_urb.part.3+0x6c/0xa0 [usbcore]
      [  245.282861]  ? wake_atomic_t_function+0x60/0x60
      [  245.283760]  usb_kill_urb+0x21/0x30 [usbcore]
      [  245.284649]  usb_start_wait_urb+0xe5/0x170 [usbcore]
      [  245.285541]  ? try_to_del_timer_sync+0x53/0x80
      [  245.286434]  usb_bulk_msg+0xbd/0x160 [usbcore]
      [  245.287326]  rtsx_usb_send_cmd+0x63/0x90 [rtsx_usb]
      
      Reported-by: diego.viola@gmail.com
      Tested-by: diego.viola@gmail.com
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ce339190
    • Josh Poimboeuf's avatar
      ACPI: Fix incompatibility with mcount-based function graph tracing · 0dc84f3b
      Josh Poimboeuf authored
      commit 61b79e16 upstream.
      
      Paul Menzel reported a warning:
      
        WARNING: CPU: 0 PID: 774 at /build/linux-ROBWaj/linux-4.9.13/kernel/trace/trace_functions_graph.c:233 ftrace_return_to_handler+0x1aa/0x1e0
        Bad frame pointer: expected f6919d98, received f6919db0
          from func acpi_pm_device_sleep_wake return to c43b6f9d
      
      The warning means that function graph tracing is broken for the
      acpi_pm_device_sleep_wake() function.  That's because the ACPI Makefile
      unconditionally sets the '-Os' gcc flag to optimize for size.  That's an
      issue because mcount-based function graph tracing is incompatible with
      '-Os' on x86, thanks to the following gcc bug:
      
        https://gcc.gnu.org/bugzilla/show_bug.cgi?id=42109
      
      I have another patch pending which will ensure that mcount-based
      function graph tracing is never used with CONFIG_CC_OPTIMIZE_FOR_SIZE on
      x86.
      
      But this patch is needed in addition to that one because the ACPI
      Makefile overrides that config option for no apparent reason.  It has
      had this flag since the beginning of git history, and there's no related
      comment, so I don't know why it's there.  As far as I can tell, there's
      no reason for it to be there.  The appropriate behavior is for it to
      honor CONFIG_CC_OPTIMIZE_FOR_{SIZE,PERFORMANCE} like the rest of the
      kernel.
      Reported-by: default avatarPaul Menzel <pmenzel@molgen.mpg.de>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Acked-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0dc84f3b
    • James Morse's avatar
      ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal · 01bfe308
      James Morse authored
      commit 7d64f82c upstream.
      
      When removing a GHES device notified by SCI, list_del_rcu() is used,
      ghes_remove() should call synchronize_rcu() before it goes on to call
      kfree(ghes), otherwise concurrent RCU readers may still hold this list
      entry after it has been freed.
      Signed-off-by: default avatarJames Morse <james.morse@arm.com>
      Reviewed-by: default avatar"Huang, Ying" <ying.huang@intel.com>
      Fixes: 81e88fdc (ACPI, APEI, Generic Hardware Error Source POLL/IRQ/NMI notification type support)
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      01bfe308
    • Joerg Roedel's avatar
      ACPI: Do not create a platform_device for IOAPIC/IOxAPIC · 4e153cff
      Joerg Roedel authored
      commit 08f63d97 upstream.
      
      No platform-device is required for IO(x)APICs, so don't even
      create them.
      
      [ rjw: This fixes a problem with leaking platform device objects
        after IOAPIC/IOxAPIC hot-removal events.]
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4e153cff
    • Arnd Bergmann's avatar
      virtio_balloon: prevent uninitialized variable use · 3b5d8b04
      Arnd Bergmann authored
      commit f0bb2d50 upstream.
      
      The latest gcc-7.0.1 snapshot reports a new warning:
      
      virtio/virtio_balloon.c: In function 'update_balloon_stats':
      virtio/virtio_balloon.c:258:26: error: 'events[2]' is used uninitialized in this function [-Werror=uninitialized]
      virtio/virtio_balloon.c:260:26: error: 'events[3]' is used uninitialized in this function [-Werror=uninitialized]
      virtio/virtio_balloon.c:261:56: error: 'events[18]' is used uninitialized in this function [-Werror=uninitialized]
      virtio/virtio_balloon.c:262:56: error: 'events[17]' is used uninitialized in this function [-Werror=uninitialized]
      
      This seems absolutely right, so we should add an extra check to
      prevent copying uninitialized stack data into the statistics.
      >From all I can tell, this has been broken since the statistics code
      was originally added in 2.6.34.
      
      Fixes: 9564e138 ("virtio: Add memory statistics reporting to the balloon driver (V4)")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarLadi Prosek <lprosek@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3b5d8b04
    • Ladi Prosek's avatar
      virtio_balloon: init 1st buffer in stats vq · 710aa47c
      Ladi Prosek authored
      commit fc865322 upstream.
      
      When init_vqs runs, virtio_balloon.stats is either uninitialized or
      contains stale values. The host updates its state with garbage data
      because it has no way of knowing that this is just a marker buffer
      used for signaling.
      
      This patch updates the stats before pushing the initial buffer.
      
      Alternative fixes:
      * Push an empty buffer in init_vqs. Not easily done with the current
        virtio implementation and violates the spec "Driver MUST supply the
        same subset of statistics in all buffers submitted to the statsq".
      * Push a buffer with invalid tags in init_vqs. Violates the same
        spec clause, plus "invalid tag" is not really defined.
      
      Note: the spec says:
      	When using the legacy interface, the device SHOULD ignore all values in
      	the first buffer in the statsq supplied by the driver after device
      	initialization. Note: Historically, drivers supplied an uninitialized
      	buffer in the first buffer.
      
      Unfortunately QEMU does not seem to implement the recommendation
      even for the legacy interface.
      Signed-off-by: default avatarLadi Prosek <lprosek@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      710aa47c